lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 20 Jul 2020 17:10:35 +0000 (UTC)
From:   Kalle Valo <kvalo@...eaurora.org>
To:     Zekun Shen <bruceshenzk@...il.com>
Cc:     unlisted-recipients:; (no To-header on input) security@...nel.org,
        Zekun Shen <bruceshenzk@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, ath10k@...ts.infradead.org,
        linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n

Zekun Shen <bruceshenzk@...il.com> wrote:

> The idx in __ath10k_htt_rx_ring_fill_n function lives in
> consistent dma region writable by the device. Malfunctional
> or malicious device could manipulate such idx to have a OOB
> write. Either by
>     htt->rx_ring.netbufs_ring[idx] = skb;
> or by
>     ath10k_htt_set_paddrs_ring(htt, paddr, idx);
> 
> The idx can also be negative as it's signed, giving a large
> memory space to write to.
> 
> It's possibly exploitable by corruptting a legit pointer with
> a skb pointer. And then fill skb with payload as rougue object.
> 
> Part of the log here. Sometimes it appears as UAF when writing
> to a freed memory by chance.
> 
>  [   15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
>  [   15.595483] #PF: supervisor write access in kernel mode
>  [   15.596250] #PF: error_code(0x0002) - not-present page
>  [   15.597013] PGD 0 P4D 0
>  [   15.597395] Oops: 0002 [#1] SMP KASAN PTI
>  [   15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
>  [   15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
>  BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
>  [   15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
>  [   15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
>  (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
> 
> Signed-off-by: Zekun Shen <bruceshenzk@...il.com>
> Signed-off-by: Kalle Valo <kvalo@...eaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

bad60b8d1a71 ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()

-- 
https://patchwork.kernel.org/patch/11621899/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Powered by blists - more mailing lists